cryptech
play

Cryptech The Open Hardware Security Module Platform Joachim - PowerPoint PPT Presentation

Feb 22, 2024 •393 likes •896 views

Cryptech The Open Hardware Security Module Platform Joachim Strmbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking Hardware Security

  1. Cryptech The Open Hardware Security Module Platform

  2. Joachim Strömbergson ::1 Assured AB https://github.com/secworks IT security Embedded systems ASIC, FPGA Biometrics Open Crypto Hardware CPU design Assembly hacking

  3. Hardware Security Modules Black Boxes FTW

  4. Hardware Security Module (HSM) • Dedicated appliance for cryptographic operations • Generate, use and store secrets (private keys in PKI) • Protect secrets • Offload sensitive operations from general systems • Crypto acceleration • Very expensive • Very few vendors • National interests – strong connections to agencies

  5. Hardware Security Module (HSM) Physical enclosure Management interface Storage of CPU Crypto private keys, acceleration secrets Application interface Random PKCS#11 Random Number physical Generator process (RNG)

  7. Hardware Security Module (HSM) • PKCS#11 • Public Key Crypto Standard. And API • Object types for RSA keys, X.509 Certificates • Generate, Sign, Seal, Verify, Export • RSA Security, now OASIS • NIST FIPS 140-2, 140-2, Common Criteria, NIST SP 800-90, BSI AIS31

  9. IBM 4758 PCI HSM

  13. The random-number generators used for key generation are fatally flawed, and have generated real certificatescontaining keys that provide no security whatsoever.

  14. Dual_EC_DRBG in SP 800-90

  15. Faulty RSA key generation (ROCA) in Secure Element chips from Infineon. >1 Billion(!) devices affected globally

  16. HSM Vulnerabilities • CVE-2015-5464: SafeNet Luna remote key export restriction bypass • CVE-2015-1878: Thales nShield arbitrary sign, key extract

  17. The Cryptech Project Towards Open HSMs

  18. The Cryptech Project • Multi-year effort to move towards an open HSM platform developed using open, auditable and trusted tools. • Started at the suggestion of Russ Housley, Jari Arkko, and Stephen Farrel of the IETF to meet the assurance needs of supporting IETF protocols in an open and transparent manner. • Composable, e.g. "Give me a key store and signer suitable for DNSsec “ • Reasonable assurance by being open, diverse design team • Core team from Sweden, Russia, USA, Germany, Japan, Ireland • Open development, signed commits to Git repos etc

  19. The Cryptech Project • 2-clause BSD license for all SW, FPGA source code • All cores for crypto acceleration in HW (AES, SHA-256, RSA, EC) • Creative Commons for all drawings, documents • PCB layout, Bill of Materials (BoM) • Repos accessible via trac: https://trac.cryptech.is/ ’ • Maillists: https://trac.cryptech.is/wiki/MailingLists • Step by step towards open toolchain • Goal is to be able to do reproducible builds, traceable builds

  20. The Cryptech Project • Verilog (2001) for all FPGA cores • Functional models in C, Python, Verilog • Icarus Verilog, Verilator used for simulations, linting • C, asm, Python, Bash, Make for SW and integration • Mainly GCC. Some Clang/llvm for static analysis etc • OpenOCD for debug, FW download etc

  21. Terasic DE0-Nano • Very simple, cheap FPGA with Altera/Intel Cyclone device • Cheap and easy to use. • Used to develop first cores and core test system • Slow and not very open platform • Intel/Altera tools required

  22. The Novena Open Laptop by Bunnie Huang • Quad Core Cortex A9 MCU @ 1.2 GHz • BLOB-free firmware and SW • Xilinx Spartan-6 FPGA • Huge number of interfaces, peripherals http://www.kosagi.com/w/index.php?title=Novena_Main_Page

  24. CrypTech Noise Boards

  25. The Cryptech TRNG

  26. CrypTech Bridge Board

  27. The Cryptech Alpha board Our current platform

  28. The Cryptech Alpha Board

  29. The CrypTech Alpha Board • ARM Cortex M4F based main CPU (STM32F429) • Xilinx Artix-7 T200 FPGA • AVR 8-bit MCU for tamper protection • PKCS#11 and management SW developed by the project • Comprehensive set of FPGA cores developed by the project • RSA, EC, AES, ChaCha • SHA-1, SHA-2, SHA-3 • Keywrap, TRNG • SPI master, external interfaces, GPIOs

  30. The CrypTech Alpha Board • Complete HSM design usable for PKCS#11 applications • Usable for people that are used to handle PCBs, like electronics • Really good random number generator • Extensively evaluated (in-house, Cisco etc) • FPGA development requires tools from FPGA vendor Xilinx The Xilinx Vivado IDE • Free as in beer, but not open, not auditable • FPGA core simulation done using open tools is 20 GBytes • Icarus Verilog, Verilator • PCB design using commercial tool from Altium • Design has been converted to KiCAD after Alpha completion • All SW developed using open tools • GCC, Clang/LLVM, OpenOCD etc

  31. Application PKCS#11 Management Tamper detect FPGA PKCS#11 FMC Tamper MKM KEY Mgmnt ECC SHA-256 AVR SRAM WRAP MCU Noise RSA TRNG RSA source ModExp RSA ModExp RSA Storage ModExp ModExp

  32. The CrypTech Alpha Board • The MCU – FPGA bus FMC is a performance bottleneck • Long latency and low capacity (clock speed, data width) • All cores are slaves. CPU needs to do R-W to move data (over FMC) • A lot of crypto functionality still in the MCU • Chinese Remeinder Theorem (CRT) for RSA key generation • Secrets are exposed in the MCU, secrets move across the FMC • The MCU is not an open design • A lot of kitchen sinks (peripherals, functionality) not needed, not trusted Performance, security and openess can be improved

  33. Master Key Memories Your black box has black boxes inside

  34. Tamper response, root of trust • Secrets are stored in flash memory • Keys in storage are encrypted (wrapped) • RFC 5649 AES-KEYWRAP, RFC 5297 AES-SIV-CMAC • The key used to wrap secrets is called Master Key or Key Encryption Key (KEK) • Single point of failure – Losing the KEK means that secrets are lost • Used to implement rapid tamper response • KEK is zeroised when a tamper event is detected • Master Key Memory and detection circuit is powered by battery

  35. KEK storage – Security Managers • Specialized, low power chips • BGAs, no external components, internal clocks • Implements functions for detection of tamper events • Switches, ĺight sensors, movement, temperature • RAM based key storage with imprinting, remanence protection • Key rotation, key inversion • Often combined with authentication, root of trust functions • HMAC-SHA256 or PKI based • Commercial devices with few vendors • Maxim DeepCover • NDAs required, info hard to get • They are black boxes too!

  36. KEK storage in Cryptech • The KEK is the key to the protection of stored secrets • Having a black box as the fundamental part of the security is NOT accepted • Master Key Memory is a standard, serial SRAM • Power supply connected to tamper switches • Tamper control is a low power, 8-bit AVR processor • Can be powered by a battery • Tamper FW developed by the Cryptech project using open tools (AVR-GCC) • Not very fast, not integrated with the memory – but open We are working on a much better solution

  37. Cryptech Status What we do right now What we will do

  38. Accomplishments 2018 • Performance Improvements • Revising and updating implementation to improve performance • Steps towards improved security. FPGA implementation of RFC 5649 AES-KEYWRAP • Hash-based Signatures • Implementation of David McGrew’s hash -based signature draft: https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/?include_text=1 • Quantum resistant signature scheme with potential uses in signing code updates • Ed25519 HW core • Edwards-curve signature algorithm • Crypto implementation done, working on drivers • Could implement x25519 without a lot of additional effort if needed

  39. Accomplishments 2018 • External Security Code Audit • Completed in September of this year • Cure53 report is on our website: https://cryptech.is/2018/10/external-security-audit-completed/ • No critical vulnerabilities • Identified vulnerabilities fixed by year-end

  40. Ongoing developments • Performance Improvements • Totally new RSA core architecture is being developed (10x – 20x seems possible) • Hunting latencies for FPGA – SW communication • Endian conversion in SW being moved to HW in the FPGA • We can do memcpy() now Committed last night • Improving FPGA clock speed through floorplanning • 100+ MHz

  41. Ongoing developments • Security improvements • Moving SW crypto processing into the FPGA • PKCS#11 and management still in the STM32 MCU • Adding DMA engine inside FPGA for core – core transfer • Eliminate transfer of sensitive data across the FMC bus • Reproducible builds for releases • MCU, FPGA, Tamper

  42. Open Master Key Memory • Develop an open MKM, implemented in a FPGA • Lattice iCE40 – no external config mem, very lower power consumption • BGA device that can be mounted on PCB back to back with main FPGA • Active tamper detection with ns tamper response time • Zeroisation of KEK with remanence/imprinting protection • Open toolchain and auditable FPGA bitstream • http://www.clifford.at/icestorm/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Symmetric-Key Cryptography CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Symmetric-Key Cryptography CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Symmetric-Key Cryptography CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca

679 views • 41 slides
La Larg rge-scale le Qu Quantum um Netwo work rk: : Fr From In Intra ra-cit ity y to

La Larg rge-scale le Qu Quantum um Netwo work rk: : Fr From In Intra ra-cit ity y to

La Larg rge-scale le Qu Quantum um Netwo work rk: : Fr From In Intra ra-cit ity y to In Inter-Cit ity y to Glo lobal l Yu-Ao Chen National Lab for Physical Sciences at the Microscale, University of Science and

610 views • 43 slides
Large-Scale Data Engineering Some notes on Access Patterns, Latency, Bandwidth + Tips for

Large-Scale Data Engineering Some notes on Access Patterns, Latency, Bandwidth + Tips for

Large-Scale Data Engineering Some notes on Access Patterns, Latency, Bandwidth + Tips for practical event.cwi.nl/lsde Memory Hierarchy event.cwi.nl/lsde Hardware Progress Transistors CPU performance event.cwi.nl/lsde RAM,Disk Improvement

1.23k views • 21 slides
ASPPH Presents Webinar: Managing Compliance Challenges Involving Global Collaborators Method for

ASPPH Presents Webinar: Managing Compliance Challenges Involving Global Collaborators Method for

ASPPH Presents Webinar: Managing Compliance Challenges Involving Global Collaborators Method for Submitting Questions/Comments Moderator Penny Gordon-Larsen, PhD Associate Dean for Research Professor, Department of Nutrition UNC Gillings

1.24k views • 58 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Tools for Censorship Resistance Rachel Greenstadt greenie@eecs.harvard.edu CIH2K5 March 2005

Tools for Censorship Resistance Rachel Greenstadt greenie@eecs.harvard.edu CIH2K5 March 2005

Tools for Censorship Resistance Rachel Greenstadt greenie@eecs.harvard.edu CIH2K5 March 2005 Tools for Censorship Resistance p.1/36 Overview Approaches to Censorship Circumvention methods Case study: China Censorship in a free

628 views • 36 slides
Public Key Cryptography and Cryptographic Hashes CS461/ECE422 Fall 2009 Reading Computer

Public Key Cryptography and Cryptographic Hashes CS461/ECE422 Fall 2009 Reading Computer

Public Key Cryptography and Cryptographic Hashes CS461/ECE422 Fall 2009 Reading Computer Security: Art and Science Chapter 9 Handbook of Applied Cryptography, Chapter 8 http://www.cacr.math.uwaterloo.ca/hac/ Public-Key

486 views • 47 slides
Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline Divisibility and Modular Arithmetic 1 Primes

822 views • 40 slides
Prime numbers (cryptography) 2 GCD Let d | a mean Example: 5 | 10, as 10 = 2 * 5 The

Prime numbers (cryptography) 2 GCD Let d | a mean Example: 5 | 10, as 10 = 2 * 5 The

1 Prime numbers (cryptography) 2 GCD Let d | a mean Example: 5 | 10, as 10 = 2 * 5 The greatest common divisor between a and b is: gcd(a,b) = max x s.t. x | a and x | b 3 GCD Oddly, another definition of gcd is: gcd also has

611 views • 33 slides
Prime numbers (cryptography) 2 Announcements Test next Tuesday Homework due Sunday 3 GCD

Prime numbers (cryptography) 2 Announcements Test next Tuesday Homework due Sunday 3 GCD

1 Prime numbers (cryptography) 2 Announcements Test next Tuesday Homework due Sunday 3 GCD Let d | a mean Example: 5 | 10, as 10 = 2 * 5 The greatest common divisor between a and b is: gcd(a,b) = max x s.t. x | a and x | b 4 GCD

490 views • 34 slides
Cryptography Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh,

Cryptography Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner,

369 views • 17 slides
Definitions Topic 18 Binary Trees A tree is an abstract data type root node internal one entry

Definitions Topic 18 Binary Trees A tree is an abstract data type root node internal one entry

Definitions Topic 18 Binary Trees A tree is an abstract data type root node internal one entry point, the root nodes "A tree may grow a Each node is either a leaf or an internal node thousand feet tall, but An internal node has 1 or

286 views • 13 slides
The Aldous diffusion on continuum trees Soumik Pal University of Washington, Seattle Vienna

The Aldous diffusion on continuum trees Soumik Pal University of Washington, Seattle Vienna

The Aldous diffusion on continuum trees Soumik Pal University of Washington, Seattle Vienna probability seminar Jun 11, 2019 Noah Forman, Douglas Rizzolo, Matthias Winkel arXiv:1804.01205, 1802.00862, 1609.06707 Thanks to NSF, UW RRF, EPSRC

1.03k views • 46 slides
INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from http://informationretrieval.org/ IR 23/25: Hierarchical Clustering & Text Classification Redux Paul Ginsparg Cornell University, Ithaca, NY

908 views • 73 slides
Handwritten Chinese Text Recognition Wenchao Wang, Jun Du and Zi-Rui Wang University of Science

Handwritten Chinese Text Recognition Wenchao Wang, Jun Du and Zi-Rui Wang University of Science

Parsimonious HMMs for Offline Handwritten Chinese Text Recognition Wenchao Wang, Jun Du and Zi-Rui Wang University of Science and Technology of China ICFHR 2018, Niagara Falls, USA, Aug. 5-8, 2018 1 Background Offline handwritten Chinese

332 views • 15 slides
Computational Social Science: Methods and Applications Anjalie Field, anjalief@cs.cmu.edu 1

Computational Social Science: Methods and Applications Anjalie Field, anjalief@cs.cmu.edu 1

Computational Social Science: Methods and Applications Anjalie Field, anjalief@cs.cmu.edu 1 Language Technologies Institute Overview Defining computational social science Sample problems Common Methodology (Topic Models)

1.42k views • 44 slides
The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC SSL/TLS

The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC SSL/TLS

The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC SSL/TLS : Earth's most popular cryptographic system How strong is this infrastructure? at best, as good as its ability to authenticate the other party

1.18k views • 76 slides
Theory of Computer Games: Selected Advanced Topics Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Selected Advanced Topics Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Selected Advanced Topics Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu 1 Abstract Some advanced research issues. The graph history interaction (GHI) problem. Opponent models.

1.22k views • 46 slides
Do Employers Prefer Undocumented Workers? Evidence from Chinas Hukou System Peter Kuhn a Kailing

Do Employers Prefer Undocumented Workers? Evidence from Chinas Hukou System Peter Kuhn a Kailing

Do Employers Prefer Undocumented Workers? Evidence from Chinas Hukou System Peter Kuhn a Kailing Shen b April 23, 2015 This research is supported by the National Natural Science Foundation of China through Grant No. 71203188, titled

857 views • 73 slides
Free Trade Agreements a global perspective March 2015 Agenda Part 1 Introduction by

Free Trade Agreements a global perspective March 2015 Agenda Part 1 Introduction by

www.pwc.com/ch Free Trade Agreements a global perspective March 2015 Agenda Part 1 Introduction by Ambassador Thomas Kupfer Part 2 European Overview Part 3 Free Trade Agreement an overview Part 4 Practical and operational challenges

492 views • 47 slides
Professional Issues Poor oral presentation skills Poor literary skills Communicating in

Professional Issues Poor oral presentation skills Poor literary skills Communicating in

Employers' views of graduates (Remember this?) Inarticulate and illiterate: Professional Issues Poor oral presentation skills Poor literary skills Communicating in English grammar, sentence structure, punctuation, spelling 1

340 views • 8 slides
L ECTURE 9 Last time Approximate counting Estimation of the 2 nd moment Linear

L ECTURE 9 Last time Approximate counting Estimation of the 2 nd moment Linear

Sublinear Algorithms L ECTURE 9 Last time Approximate counting Estimation of the 2 nd moment Linear sketching Today Multipurpose sketches Count-min and count-sketch Range queries, heavy hitters, quantiles 10/1/2020 Sofya

458 views • 14 slides
Natural Language Processing Spring 2017 Professor Liang Huang Doesnt Google know everything?

Natural Language Processing Spring 2017 Professor Liang Huang Doesnt Google know everything?

Natural Language Processing Spring 2017 Professor Liang Huang Doesnt Google know everything? What animal does a cat eat? Retrieved August 2010 2 Even Key Word Queries Paris Hilton -- not easy to book! (vs. Boston Hilton) 3 Ambiguity

537 views • 35 slides

More recommend